Yiiframework Yii

Yii 2 <=2.0.51 __class behavior attach flaw CVE-2024-58136
CVE-2024-58136 9 - Critical - April 10, 2025

Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025.

Improper Protection of Alternate Path

Yii2 <2.0.39 Remote Deserialization via PHPUnit MockObject Generate
CVE-2025-2690 9.8 - Critical - March 24, 2025

A vulnerability, which was classified as critical, was found in yiisoft Yii2 up to 2.0.39. This affects the function Generate of the file phpunit\src\Framework\MockObject\MockClass.php. The manipulation leads to deserialization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Marshaling, Unmarshaling

Yii2 <=2.0.45 Remote Deserialization via SortableIterator
CVE-2025-2689 9.8 - Critical - March 24, 2025

A vulnerability, which was classified as critical, has been found in yiisoft Yii2 up to 2.0.45. Affected by this issue is the function getIterator of the file symfony\finder\Iterator\SortableIterator.php. The manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Marshaling, Unmarshaling

Yii2 2.0.48 Component::__set Allows Arbitrary Instantiation
CVE-2024-4990 9.1 - Critical - March 20, 2025

In yiisoft/yii2 version 2.0.48, the base Component class contains a vulnerability where the `__set()` magic method does not validate that the value passed is a valid Behavior class name or configuration. This allows an attacker to instantiate arbitrary classes, passing parameters to their constructors and invoking setter methods. Depending on the installed dependencies, various types of attacks are possible, including the execution of arbitrary code, retrieval of sensitive information, and unauthorized access.

Reflection Injection

Yii 1.1.28 RCE via unserialize before 1.1.29
CVE-2023-47130 9.8 - Critical - November 14, 2023

Yii is an open source PHP web framework. yiisoft/yii before version 1.1.29 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. An attacker may leverage this vulnerability to compromise the host system. A fix has been developed for the 1.1.29 release. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Yii2 2.x Before 2.0.5 Remote Local File Inclusion via ViewAction
CVE-2015-5467 9.8 - Critical - September 21, 2023

web\ViewAction in Yii (aka Yii2) 2.x before 2.0.5 allows attackers to execute any local .php file via a relative path in the view parameeter.

Directory traversal

Yii2 2.0.45 XSS via /books endpoint (disputed)
CVE-2022-31454 6.1 - Medium - July 28, 2023

Yii 2 v2.0.45 was discovered to contain a cross-site scripting (XSS) vulnerability via the endpoint /books. NOTE: this is disputed by the vendor because the cve-2022-31454-8e8555c31fd3 page does not describe why /books has a relationship to Yii 2.

XSS

Yii2 SQLi via runAction before 2.0.47
CVE-2023-26750 9.8 - Critical - April 04, 2023

SQL injection vulnerability found in Yii Framework Yii 2 Framework before v.2.0.47 allows the a remote attacker to execute arbitrary code via the runAction function. NOTE: the software maintainer's position is that the vulnerability is in third-party code, not in the framework.

SQL Injection

Yii 1.1.x RCE via unserialize() before 1.1.27
CVE-2022-41922 9.8 - Critical - November 23, 2022

`yiisoft/yii` before version 1.1.27 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. This has been patched in 1.1.27.

Marshaling, Unmarshaling

yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator
CVE-2021-3692 5.3 - Medium - August 10, 2021

yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator

Use of Insufficiently Random Values

yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator
CVE-2021-3689 7.5 - High - August 10, 2021

yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator

Use of Insufficiently Random Values

Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input
CVE-2020-15148 10 - Critical - September 15, 2020

Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input. This is fixed in version 2.0.38. A possible workaround without upgrading is available in the linked advisory.

Marshaling, Unmarshaling

Yii 2.x through 2.0.15.1 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value
CVE-2018-20745 - January 28, 2019

Yii 2.x through 2.0.15.1 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems.

The findByCondition function in framework/db/ActiveRecord.php in Yii 2.x before 2.0.15
CVE-2018-7269 - March 21, 2018

The findByCondition function in framework/db/ActiveRecord.php in Yii 2.x before 2.0.15 allows remote attackers to conduct SQL injection attacks via a findOne() or findAll() call, unless a developer recognizes an undocumented need to sanitize array input.

Yii 2.x before 2.0.15
CVE-2018-8073 - March 21, 2018

Yii 2.x before 2.0.15 allows remote attackers to execute arbitrary LUA code via a variant of the CVE-2018-7269 attack in conjunction with the Redis extension.

Yii 2.x before 2.0.15
CVE-2018-8074 - March 21, 2018

Yii 2.x before 2.0.15 allows remote attackers to inject unintended search conditions via a variant of the CVE-2018-7269 attack in conjunction with the Elasticsearch extension.